[Snort-devel] Output plugin like Unixsock for W32

Dr. Richard W. Tibbs tewg at ...1280...
Fri Apr 19 09:39:11 EDT 2002


In fact, I began (and completed) such a feature in snort 1.8.4 in a 
Win2000 environment. Just did this locally to allow some snorting on my 
Win2K box. It works by using the loopback IP addr. Pretty simple, only 
a few lines of code.
I have meant to propose doing it in 1.9 to the devel list, but I noticed 
a lot of MS Visual C++ project issues on the list, and was waiting for 
things to settle down. Looks like they have, and 
I would like to re-up on my offer.

There are a few design decisions for a general feature such as this. 
Here is an email I sent (off-list) a couple of weeks back. Maybe this 
can rekindle discussion:

There are a few design decisions we should consider for 1.9.
For example:
1) As Fyodor noted, we could offer the loopback socket (-A lbsock ?) 
feature independently of -A unsock. On *nix, both would work; on win2k 
only lbsock.  So we would need an extra -A parm recognized. That would 
be reasonably easy, but would take some more coding. Otherwise, as it 
currently stands -A unsock activates a true Unix socket 
(AF_UNIX,SOCK_DGRAM) on *nix platforms, or an AF_INET,SOCK_DGRAM socket 
on w2k. Might seem confusing, but documentation could certainly take 
care of clarifying it, if a new command line option is to be avoided.

2) In order to prevent snort from sniffing its own socket packets (when 
loopback routes to HOME_NET, or whatever iface snort is sniffing), there 
needs to be a rule in snort.conf (or induced upon cmd option -A unsock) 
like:
var LOOP_BACK 127.0.0.1
var SOCK_PORT 46070      # same port as defined in snort.h
pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
....
Does such a rule create any IDS issues?

AFN. >>RWT

Spacefox wrote:

>Hello !
>
>Does anyone know if a plugin like unixsock has been coded in the
>W32 environment? I want to make a client/server application to get
>snort information with a remote host... This plugin would output everything
>(alerts, connections, packets etc...).
>
>Thanks in advance.
>
>Spacefox
>Pack X Crew
>http://www.packx.net
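As an added example (not Snort source, and not code from either poster), this C sketch models the two points in the message above: the Win32 substitution of an AF_INET/SOCK_DGRAM loopback sink for the AF_UNIX socket behind -A unsock, and the pass rule that keeps Snort from alerting on its own alert datagrams. The loopback address 127.0.0.1 and port 46070 are taken from the message; the function names and the host-order constants are assumptions made here.

```c
/* Constructed example, not Snort source. Address and port are the message's:
 * 127.0.0.1 and the SOCK_PORT defined in snort.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>   /* sockaddr_in, htons/htonl; winsock2.h on Win32 */

#define SOCK_PORT      46070         /* same port as defined in snort.h */
#define LOOP_BACK_ADDR 0x7F000001u   /* 127.0.0.1 in host byte order */
#define PROTO_UDP      17

/* Win32 path: the AF_UNIX datagram sink becomes AF_INET/SOCK_DGRAM on
 * 127.0.0.1:SOCK_PORT. The sender must bind() to this address as well,
 * since the pass rule below also matches on the source port. */
int fill_loopback_sink(struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family      = AF_INET;
    sa->sin_addr.s_addr = htonl(LOOP_BACK_ADDR);
    sa->sin_port        = htons(SOCK_PORT);
    return ntohs(sa->sin_port);   /* host-order port, for cross-checking */
}

/* Returns the sink port if family and address came out right, else 0. */
int loopback_sink_port(void)
{
    struct sockaddr_in sa;
    int port = fill_loopback_sink(&sa);
    if (sa.sin_family != AF_INET || sa.sin_addr.s_addr != htonl(LOOP_BACK_ADDR))
        return 0;
    return port;
}

/* Equivalent of: pass udp $LOOP_BACK $SOCK_PORT -> $LOOP_BACK $SOCK_PORT
 * 1 = Snort's own alert datagram (passed); 0 = normal rule processing. */
int is_own_alert_traffic(uint8_t proto, uint32_t sip, uint16_t sport,
                         uint32_t dip, uint16_t dport)
{
    return proto == PROTO_UDP
        && sip == LOOP_BACK_ADDR && dip == LOOP_BACK_ADDR
        && sport == SOCK_PORT    && dport == SOCK_PORT;
}

int main(void)
{
    int own = is_own_alert_traffic(PROTO_UDP, LOOP_BACK_ADDR, SOCK_PORT, LOOP_BACK_ADDR, SOCK_PORT);
    int dns = is_own_alert_traffic(PROTO_UDP, LOOP_BACK_ADDR, 53, LOOP_BACK_ADDR, SOCK_PORT);
    printf("sink port %d own=%d dns=%d\n", loopback_sink_port(), own, dns);
    return 0;
}
```

Note that the rule only matches when both endpoints are loopback and both ports equal SOCK_PORT, so a sender using an ephemeral source port would not be passed by it.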